Partly Sunny With a Chance of Rain: Forecasting the Legal Issues in Cloud Computing
1. “Partly Sunny with a Chance of Rain”: Forecasting the Legal Issues in Cloud Computing
by: Thomas A. Kulik, Partner, Scheef & Stone, L.L.P.
Dallas Bar Association – Computer Law Section
September 27, 2010
2. About the Presenter Tom Kulik is a Partner in Scheef & Stone, L.L.P. and chairs the firm’s Intellectual Property Practice Group out of its headquarters in Dallas, Texas. With an understanding of how intellectual property assets influence business, he strategically counsels clients on matters involving the evaluation, acquisition, development and protection of intellectual property rights, with an emphasis on creatively leveraging such assets both domestically and internationally. Prior to matriculation in law school, he was an award-winning systems engineer for 3Com Corporation, where he was responsible for local and wide-area network architecture and design supporting both Fortune 500 and start-up companies in the computer services, financial and pharmaceutical industries. Leveraging this industry experience, his practice focuses on intellectual property transactions, particularly within the context of the computer software, emerging Internet technologies and e-commerce, and includes an extensive trademark preparation and prosecution practice and attendant intellectual property litigation.
4. …and What is “Cloud Computing”? “SaaS” “PaaS” “IaaS”
5. “Cloud Computing” – A Hazy Phrase for a Foggy (Evolving) Concept “As a metaphor for the Internet, "the cloud" is a familiar cliché, but when combined with "computing," the meaning gets bigger and fuzzier…[but essentially] encompasses any subscription-based or pay-per-use service that, in real time over the Internet, extends IT's existing capabilities.” What Cloud Computing Really Means, Eric Knorr & Galen Gruman, InfoWorld, 2009
6. “Cloud Computing” Definition – The National Institute of Standards and Technology “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.” The NIST Definition of Cloud Computing, Peter Mell and Tim Grance, Version 15, October 7, 2009
8. Broad network access – services available through the network to cellphones, PDAs, laptops, iPads, etc.
31. Composition of 2 or more distinct clouds “bound together by standardized or proprietary technology that enables data and application portability”
35. Why the Cloud Model? A “Perfect Storm”
Economics - IT capital cost pressures pushing for better ROI
More for Less - Technological Innovation is permitting:
- Better communications bandwidth availability
- Improved microprocessor/bus speeds
- Increased storage capabilities
- “Virtualization” – easier for CSPs to maximize infrastructure for the services provided and offload much IT management
55. Gramm-Leach-Bliley Act - Financial institutions must have policies/procedures in place to protect “non-public personal financial information” from improper disclosure
56. HIPAA/HITECH Act – “Covered entities” required to notify affected persons of breach of unencrypted “personal health information”
57. FTC Safeguards Rule – Financial institutions required to have written security plan regarding customer’s private information
58. FTC Red Flags Rule – Institutions holding credit accounts must have written identity theft program
59. Stored Communications Act - protection from disclosure for emails and other private data that are in electronic storage
61. EU Data Protection Directive 95/46/EC – no transfer of data to countries OUTSIDE the EU unless they offer an “adequate level of protection” OR where exceptions apply...like the U.S. Safe Harbor List
62. U.S. Department of Commerce negotiated a safe harbor framework with the European Commission to “bridge” differences in privacy protection with EU member states
63. Certifying to the “safe harbor” will assure that EU organizations know that your company provides "adequate" privacy protection
65. REVIEW CSP privacy policy AND security procedures for continuity with existing company procedures & guidelines (i.e. audit/reporting requirements, security breach notifications)
66. IDENTIFY and SPECIFY data security controls at the software level (i.e. encryption, firewalls), as well as physical security
89. The Legal Considerations in Cloud Computing: Contractual Considerations Google Apps Examples: “Representations. …Google warrants that it will provide the Services in accordance with the applicable SLA.” “Disclaimers. EXCEPT AS EXPRESSLY PROVIDED FOR HEREIN, NEITHER PARTY MAKES ANY OTHER WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR USE AND NONINFRINGEMENT. GOOGLE MAKES NO REPRESENTATIONS ABOUT ANY CONTENT OR INFORMATION MADE ACCESSIBLE BY OR THROUGH THE SERVICE. THE SERVICE IS NEITHER DESIGNED NOR INTENDED FOR HIGH RISK ACTIVITIES. CUSTOMER ACKNOWLEDGES THAT THE SERVICES ARE NOT A TELEPHONY SERVICE AND THAT THE SERVICES ARE NOT CAPABLE OF PLACING OR RECEIVING ANY CALLS, INCLUDING EMERGENCY SERVICES CALLS, OVER PUBLICLY SWITCHED TELEPHONE NETWORKS.”
90. The Legal Considerations in Cloud Computing: Contractual Considerations Google Apps Examples: “Limitation on Indirect Liability. NEITHER PARTY WILL BE LIABLE UNDER THIS AGREEMENT FOR LOST REVENUES OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE AND EVEN IF DIRECT DAMAGES DO NOT SATISFY A REMEDY.” “Limitation on Amount of Liability. NEITHER PARTY MAY BE HELD LIABLE UNDER THIS AGREEMENT FOR MORE THAN THE AMOUNT PAID BY CUSTOMER TO GOOGLE DURING THE TWELVE MONTHS PRIOR TO THE EVENT GIVING RISE TO LIABILITY.” “Governing Law. This Agreement is governed by California law, excluding that state’s choice of law rules. FOR ANY DISPUTE RELATING TO THIS AGREEMENT, THE PARTIES CONSENT TO PERSONAL JURISDICTION IN, AND THE EXCLUSIVE VENUE OF, THE COURTS IN SANTA CLARA COUNTY, CALIFORNIA.”
98. Remote storage DVR system held not to be a violation of U.S. copyright law (See Cartoon Network LP, LLLP v. CSC Holdings, Inc., 536 F.3d 121 (2nd Cir. 2008), cert. den’d 129 S.Ct. 2890 (2009))
99. Opens door for Digital Entertainment Content Ecosystem (DECE) – a.k.a. “Ultraviolet” - purchase content once, then view in many formats and on many devices from cloud-based account
136. North Carolina Proposed 2010 Formal Ethics Opinion 7, “Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property” (April 15, 2010)
152. “Partly Sunny with a Chance of Rain”: Forecasting the Legal Issues in Cloud Computing
Email: tom.kulik@solidcounsel.com
LinkedIn: www.linkedin.com/in/tkulik
Twitter: www.twitter.com/TomKulik (@TomKulik)
Blog: www.legalintangibles.com
Editor's notes
Narrow Definition: “virtual” servers on the Internet
Broad Definition: Anything outside the VPN
Community cloud shared concerns = mission, security requirements, policy, and compliance considerations
Hybrid = cloud “bursting” for load balancing between clouds
Cloud Computing providers expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. Provisioning, management, orchestration, and monitoring are all performed using these interfaces. The security and availability of general cloud services is dependent upon the security of these basic APIs. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy. Furthermore, organizations and third parties often build upon these interfaces to offer value-added services to their customers.
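The note above says a management API must combine authentication, access control and activity monitoring so that neither a mistake nor a deliberate attempt can circumvent policy. The following Python is an added example (not code from the presentation or from any cloud provider) of a minimal front door for such an API: each call is signed with a per-key HMAC over the method, path, body and timestamp, the timestamp limits replay of a captured request, a per-key policy decides which actions the caller may take, and every decision, allowed or denied, lands in an audit log. The key ids, secrets, paths and policies are constructed for the example.

```python
"""Illustrative cloud-management API front door (added example, not from the
presentation): every call is authenticated with a keyed HMAC, checked against a
per-key policy, and written to an audit log before the operation would run."""
import hashlib
import hmac
import json
import time

# Constructed sample tenant keys and policies (assumed, not from any real CSP).
API_KEYS = {
    "tenant-a-key": {"secret": b"tenant-a-secret-0123", "allowed": {"vm:list", "vm:start"}},
    "auditor-key": {"secret": b"auditor-secret-4567", "allowed": {"vm:list"}},
}
MAX_CLOCK_SKEW = 300  # seconds a signed request stays valid (bounds replay)
AUDIT_LOG = []        # in-memory stand-in for a write-once audit sink


def canonical(method, path, body, timestamp):
    """Bytes covered by the signature; anything left out here could be altered in transit."""
    return f"{method}\n{path}\n{timestamp}\n{body}".encode()


def sign_request(key_id, method, path, body, timestamp=None):
    """Client side: produce the headers a caller attaches to a management call."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    secret = API_KEYS[key_id]["secret"]
    mac = hmac.new(secret, canonical(method, path, body, timestamp), hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp), "X-Signature": mac}


def authorize(method, path, body, headers, action, now=None):
    """Server side: return (allowed, reason) and record the decision in AUDIT_LOG.

    Checks run in order: known key -> fresh timestamp -> valid signature -> policy.
    The signature is verified before the policy so a denied action is attributed
    to an authenticated caller in the log rather than to an anonymous request.
    """
    now = time.time() if now is None else now
    key_id = headers.get("X-Key-Id")
    decision, reason = "deny", "unknown key"
    entry = {"ts": now, "key": key_id, "method": method, "path": path, "action": action}
    key = API_KEYS.get(key_id)
    if key is not None:
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            ts = None
        if ts is None or abs(now - ts) > MAX_CLOCK_SKEW:
            reason = "stale or missing timestamp"
        else:
            expected = hmac.new(key["secret"], canonical(method, path, body, ts),
                                hashlib.sha256).hexdigest()
            # compare_digest avoids leaking the match position through timing
            if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
                reason = "bad signature"
            elif action not in key["allowed"]:
                reason = "action not permitted for key"
            else:
                decision, reason = "allow", "ok"
    entry.update(decision=decision, reason=reason)
    AUDIT_LOG.append(entry)
    return decision == "allow", reason


if __name__ == "__main__":
    body = json.dumps({"vm": "web-1"})
    good = sign_request("tenant-a-key", "POST", "/v1/vm/start", body)
    print(authorize("POST", "/v1/vm/start", body, good, "vm:start"))
    # Same headers, modified body: signature no longer covers what was sent.
    print(authorize("POST", "/v1/vm/start", json.dumps({"vm": "db-1"}), good, "vm:start"))
    # Auditor key is read-only under its policy.
    ro = sign_request("auditor-key", "POST", "/v1/vm/start", body)
    print(authorize("POST", "/v1/vm/start", body, ro, "vm:start"))
    for entry in AUDIT_LOG:
        print(json.dumps(entry))
```

The audit entry is written for every request, including denials, because the monitoring half of the note only works if policy violations are visible; a gateway that logs only successful calls cannot show who tried to circumvent it.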
Second bullet: Liability for breach – Legislation (EU DPD) makes a distinction between a DATA CONTROLLER (party that defines the purpose AND means for data processing) vs. DATA PROCESSOR (a passive performer)
- DATA CONTROLLER is liable toward DATA SUBJECTS
- DATA CONTROLLER must choose between the right DATA PROCESSORS for the designated purpose, then negotiate appropriate contractual protection
How is U.S. different than EU in handling data privacy?
- The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin.
Risk Allocation: Some CSPs (i.e. Google) will provide a limited infringement indemnity; others will not or otherwise attempt to “pass-through” risk from the CSP's own 3P providers
May disclaim “high-risk” activities, but don’t define “high-risk”:
Google Apps: EXCEPT AS EXPRESSLY PROVIDED FOR HEREIN, NEITHER PARTY MAKES ANY OTHER WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR USE AND NONINFRINGEMENT. GOOGLE MAKES NO REPRESENTATIONS ABOUT ANY CONTENT OR INFORMATION MADE ACCESSIBLE BY OR THROUGH THE SERVICE. THE SERVICE IS NEITHER DESIGNED NOR INTENDED FOR HIGH RISK ACTIVITIES. CUSTOMER ACKNOWLEDGES THAT THE SERVICES ARE NOT A TELEPHONY SERVICE AND THAT THE SERVICES ARE NOT CAPABLE OF PLACING OR RECEIVING ANY CALLS, INCLUDING EMERGENCY SERVICES CALLS, OVER PUBLICLY SWITCHED TELEPHONE NETWORKS.
Bottom line: NOT your Grandma’s traditional outsourcing model!
Avoid “lock-in” – CSP agreements characterized by shorter, subscription-based terms
- Control termination triggers; prevent abrupt/uncontrolled terminations
Remember: “click-through” model for many CSPs will not account for certain elements – (i.e. source code escrow NOT part of the standard CSP agreement)
- Make interoperability an issue – ensure compatibility with own systems, customer systems, 3P systems and foreseeable future technologies
Bankruptcy: Data may be treated as non-intellectual asset and subject to different rules than for copyrighted matter under Section 365(n)
- What about personal information? Look to privacy policy, but may not be so clear depending upon the nature of the personal information
Legacy model – many licenses prohibited use in a time-sharing or service-bureau environment – cloud model problematic where such restrictions arise
IP creation issues - For example, U.S. law dictates that a copyright vests in an author of an original work when such work is fixed in a tangible medium of expression. Where such works are created and saved by a foreign-national independent contractor for a client using software that resides on a server outside the U.S., whether the work is created under U.S. law, the copyright laws of a foreign territory or where the contractor is a national depend on a multitude of factors that will affect the rights vested in the client.
- Remember: assignment of rights misses the point
Trade secrets – basically “CI-plus”, but must have policies/procedures in place that elevate the CI to trade secret status – how accomplished in the cloud?
2nd Circuit opinion - focused on Cablevision's proposed Remote Storage-Digital Video Recorder (RS-DVR) schematic, in which copies of a work in whole or in part were recorded on buffers prior to their being transmitted to customers' receiving equipment. The District Court presumed that those copies constituted the "embodiment" of the recorded work. "The district court mistakenly limited its analysis primarily to the embodiment requirement," wrote Appeals Court Judge John M. Walker earlier today. "As a result of this error, once it determined that the buffer data was 'clearly . . . capable of being reproduced,' i.e., that the work was embodied in the buffer, the district court concluded that the work was therefore 'fixed' in the buffer, and that a copy had thus been made." But buffers are temporary storage media, Judge Walker went on, designed only to harbor portions of files for a "transitory duration" -- in other words, just long enough to get the file transmitted and removed from memory. He cited an earlier court decision in favor of a repair service that had rescued a customer's hard drive, and in so doing had copied that customer's software -- allegedly illegally. Since the rescue copy was only for a "transitory duration," that court ruled, the duplication wasn't really a "copy" for practical purposes. In the case of RS-DVR, the transitory period was found to be no greater than 1.2 seconds. "While our inquiry is necessarily fact-specific, and other factors not present here may alter the duration analysis significantly," Judge Walker wrote, "these facts strongly suggest that the works in this case are embodied in the buffer for only a 'transitory' period, thus failing the duration requirement." So if the buffer doesn't truly constitute a copy, then the transmission doesn't constitute a "performance" of that copy.
The Stored Communications Act ("SCA", 18 U.S.C. § 2701 et seq.) is widely thought to provide protection from disclosure for emails and other private data that are in electronic storage. However, a less-known loophole in the SCA can permit stored information to be accessed without the author's permission and then divulged to competitors, to adversaries, to strangers, or to the general public, without liability under the SCA. The SCA provides that any person who intentionally accesses stored electronic communications without authorization or beyond the scope of his authorization is subject to civil and criminal penalties. 18 U.S.C. § 2701(a), (b). However, there are two important exceptions to this protection: Even if an author of a communication has not authorized a third party to access that communication, the SCA provides that this unauthorized third party is immune from liability if he/she was authorized to gain access by the provider of the electronic communications service -- such as the ISP or the business that operates the network. The SCA further provides that an unauthorized third party is also immune if he/she has been given permission to access the communication by a user of the service on which the communication is stored -- such as a member of a private website, such as a MySpace page. This means that even if the author has not consented for anyone except for the recipients to access his/her private emails, a lot of people could still be looking at them, copying them and doing who knows what else to them -- with SCA immunity.
Example:
- CSP houses data across multiple servers in multiple countries
- Subcontracts with 3P providers for facilities (i.e. disaster recovery) as well as peak-load surge demand for excess capacity
If breach – who is responsible?
Litigation:
Plaintiff’s perspective: who do you serve the litigation hold on?
Defendant’s perspective: will the hold be acted upon in time? Do my 3P vendor contracts cover this possibility?
Why “it depends” - Seems that a “reasonable standard of care” applies, but little guidance on what is reasonable